Friday, May 15, 2015

The Security Environment of Cloud Computing

Cloud computing has taken off during the 21st century. Beginning in 1999 with a Salesforce service offering to deliver enterprise applications through its website, the definition of the cloud computing service offering has kept evolving as providers adapt to the needs of consumers. Presently, cloud computing can be defined as a specialized form of distributed computing that introduces utilization models for remotely provisioning scalable and measured resources. It has the potential to reduce operating costs for organizations, make personal users' data available wherever they are, and simplify the way we use information systems. However, just as with the network environments of the past, cloud computing environments are susceptible to malware, advanced persistent threats, and credential-cracking tools. As the cloud service offering evolves, the threat landscape around it evolves at the same rate if not faster. Recent incidents such as the Apple iCloud hack show that a lack of security best practices on the cloud consumer's side can have just as devastating an effect as a lack of security on the cloud provider's side. The information systems our economy was built upon were designed primarily for information sharing rather than for security and privacy. As the industry takes a larger share of the economy and of our lives, the information systems of the future must balance the confidentiality, integrity, and availability of data by applying best practices in information security and privacy. Presently, security in cloud computing environments is not adequate, and it must be improved through best practices on the part of both cloud consumers and cloud providers.

Much of the attention in cloud security falls on the software as a service (SaaS) offering, and on cloud storage in particular: Apple's iCloud, Google Drive, and Dropbox's self-titled service lead the industry. Storage draws that attention because sensitive data is what attackers who get past network defenses are usually after. Many companies and individual consumers keep sensitive data in cloud storage because it is often cheaper or more convenient to have it stored, managed, and backed up by another company. Since data in the wrong hands can compromise anything from a business's intellectual property to a person's privacy, securing it is a requirement not to be taken lightly. As covered earlier in this blog, it is important to balance the three aspects of the CIA triad: confidentiality, integrity, and availability.

A notable case study of a cloud computing environment being susceptible to attack from an anonymous attacker because of poor security practices is Apple's iCloud. iCloud is a cloud service available to anyone who has created a free Apple ID. The iCloud suite includes a mail client, a calendar, a device locator, and file storage. On August 31, 2014, in an event dubbed "The Fappening," nude photographs of numerous A-list celebrities were leaked onto the Internet. Every released picture had at some point been stored in iCloud, protected only by each celebrity's Apple ID user name and password. The initial assumption was that the entire iCloud infrastructure had been breached and that any file stored in the cloud was compromised. Had that been true, it would have damaged trust in cloud service providers as a whole: an attacker able to compromise such a high-profile environment would leave both personal and business users reluctant to let third parties store their information without strict control over its security. However, after an internal investigation, Apple released a statement announcing that "these celebrity accounts were compromised by a targeted attack on user names, passwords, and security questions." In other words, the attackers came in through the front door of each account, by guessing or otherwise obtaining credentials and security-question answers, rather than by breaking into iCloud's storage; this suggests that the affected accounts were protected by weak passwords and easily guessed security questions. What is evident is that weak security practices from both Apple and the end users of iCloud gave malicious attackers the opportunity to gain privileged access to accounts they did not own.
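To make concrete why an attack "on user names, passwords, and security questions" succeeds against some accounts and not others, here is an added example (it is not code from the original post, nor anything Apple runs): a toy password-reset handler that checks security-question answers, attacked with a dictionary of common answers. It contrasts the two sides of the thesis above, a consumer-side control (an answer that is not on any common list) and a provider-side control (an attempt limit that locks the account). All account names, questions, answers and the wordlist are constructed sample data, not data from the 2014 incident.

```python
"""Added example (not code from the original post or from Apple): a toy
password-reset handler that checks security-question answers, attacked
with a dictionary of common answers. All names, questions, answers and
the wordlist are constructed sample data."""
import hashlib
import hmac
import os
import secrets

# Constructed sample wordlist of common "pet's name" answers (assumption:
# a real attacker would use a far larger list compiled from public sources).
COMMON_PET_NAMES = ["max", "buddy", "charlie", "lucy", "daisy",
                    "molly", "rocky", "bella", "bailey", "sadie"]


class ResetHandler:
    """Verifies security-question answers for one account.

    max_failures=None models a handler with no attempt limit; an integer
    locks the account once that many consecutive wrong answers are seen.
    """

    def __init__(self, answers, max_failures=None):
        self._salt = os.urandom(16)
        self._hashes = {q: self._hash(a) for q, a in answers.items()}
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def _hash(self, answer):
        # Reset flows usually normalise answers (case, whitespace), which
        # also shrinks the space an attacker has to search.
        normalised = answer.strip().lower().encode()
        # Iteration count kept low so the demo runs quickly; use far more
        # in a real deployment.
        return hashlib.pbkdf2_hmac("sha256", normalised, self._salt, 1_000)

    def answer(self, question, guess):
        """Return True on a correct answer; False if wrong or account locked."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self._hashes[question], self._hash(guess))
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.max_failures is not None and self.failures >= self.max_failures:
                self.locked = True
        return ok


def guess_answer(handler, question, wordlist):
    """Dictionary attack against one question; returns (success, attempts_made)."""
    attempts = 0
    for candidate in wordlist:
        if handler.locked:
            break
        attempts += 1
        if handler.answer(question, candidate):
            return True, attempts
    return False, attempts


def run_demo():
    """Compare weak and strong answers, with and without an attempt limit."""
    strong = secrets.token_urlsafe(12)  # a random answer kept in a password manager
    return {
        # consumer side weak, provider side weak: compromised on the 8th guess
        "weak answer, no limit": guess_answer(
            ResetHandler({"pet": "Bella"}), "pet", COMMON_PET_NAMES),
        # provider side fixed: the lockout stops the attack before the right guess
        "weak answer, lockout after 5": guess_answer(
            ResetHandler({"pet": "Bella"}, max_failures=5), "pet", COMMON_PET_NAMES),
        # consumer side fixed: the wordlist is exhausted without a hit
        "strong answer, no limit": guess_answer(
            ResetHandler({"pet": strong}), "pet", COMMON_PET_NAMES),
    }


if __name__ == "__main__":
    for label, (found, attempts) in run_demo().items():
        state = "compromised" if found else "not compromised"
        print(f"{label}: {state} after {attempts} attempts")
```

Either control on its own defeats this particular wordlist; the point of the lockout is that the provider can enforce it for every account, while the strength of the answer is left to each user.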

In the next blog, I will continue by explaining how both Apple and the celebrities could have implemented some best practices to avoid this event entirely.


Tuesday, April 21, 2015

My Experience at the Deloitte Cyber Threat Competition

The Deloitte Foundation Cyber Threat Competition is a three-round, nationwide security competition. The premise is that schools can enter into the competition, and the students at each school compete solo through the first two rounds, and as a four-person team in the third round at Deloitte University in Westlake, Texas.
The lake outside of Deloitte University

The first round of the competition was a multiple choice quiz on a large range of security topics, including some technical and some managerial questions. The 10 students who had the highest scores in this round moved on to round 2.

Round 2 consisted of an online capture the flag exercise with 10 different challenges that were available for two weeks. The challenges included login scripts that were vulnerable to SQL Injection, XSS vulnerable search queries, and hidden keys in data packet captures. Each challenge had a different point value, and the four students who scored the most points on this section were invited to travel to Deloitte University in Westlake, Texas.

I was one of the four students who were invited to represent Penn State University, so this past week I flew down to Texas to compete along with John Kissell, Jared Rittle, and Brady Ripka.

I didn't know any of the other three students that I was competing with, other than through a few emails and text messages. However, Deloitte allowed us to arrive a day before the competition to stay in a hotel. We took this opportunity to grab a few drinks and get to know each other before the competition. In hindsight, this probably gave us a slight edge because we seemed to be the only team that wasn't fighting through the awkward stage of meeting their team on the day of the competition.
A night at The Barn with ribs, pulled pork, macaroni, and brisket

After a fun night of watching hockey and having a ton of fun, we were transported to Deloitte University in a company-owned Escalade the following morning. At the University, we were in shock when we were greeted with the revelation that all of the food at Deloitte University was free and buffet-style. There were ribs, steaks, lamb legs, and beef jerky all made by what must be a fantastic group of chefs because we couldn't stop commenting on how delicious everything was.

Then it was time to get serious.

We moved into a room with all of the staff and students that were involved in the competition. After a short presentation with some cool text-based feedback on what we thought of the competition so far, we were introduced to our coaches. The coaches were all Deloitte employees who had previously attended the school that they were coaching for. This gave each team a good way to quickly get along with their coach, and eventually network with other coaches and students.

Next, we moved into a larger room with tables set up for each school. Each table had a scoring packet for the coaches, an inject packet for each student, and a laptop that was disconnected from the internet. This came as a surprise to many of the students because round 2 was such a challenging technical competition, and it suddenly became very obvious that there would be little technical skill required for this round.
Deloitte University main entrance

The format of round 3 was a cyber war game. Each team was acting as the information security staff at a fictional institution, Mammoth National Bank. The first inject was a letter from a "trusted" government agency that was notifying the bank of an imminent threat from a Russian hacking collective known as "The Ghosts." Within 10 minutes of receiving this notification, we were directed to give a verbal briefing on what was going on and how we were going to respond. This was 10% of our overall score for the competition.

The next 2 hours consisted of a series of injects being revealed from our inject packet. The event was designed to be fast-paced in order to simulate a stressful situation in a real business environment. We were provided with a new "Time of Day" and additional information about the event every 10-15 minutes. Our task as a team was to respond to each inject. Based on our responses, we were either given points on the coach's scorecard or the coach directed us to open another inject that provided more information. The scores received on this section constituted 30% of our overall score for the competition.

For example, one of the earlier injects was an email from the organizers of a banking conference that some of our employees had attended in the previous months. They notified our team that a company called InfoSaber had registered under false pretenses and was handing out USB flash drives to attendees of the conference. One of our reactive responses was to request a list of the attendees of the conference. This prompted another inject to be opened, which was an email indicating that 7 employees attended, 5 of these employees took flash drives, and 1 employee plugged the drive into their work computer.

Each team was also given a $100,000 budget to spend on services to respond to injects. Some of the available services included basic forensic analysis, advanced forensic analysis, DDoS protection, emergency backup generators, external PR, and consultation with a Deloitte expert. With the expenses of each of these services, there was no possible way to purchase everything that we wanted, so we had to prioritize what we needed.

Throughout the event, we had to deal with a variety of situations including:

  • A rootkit-infected flash drive that penetrated the network
  • Customer reports of unavailable funds and unrecognized transactions
  • Phishing emails to a regional bank manager
  • A keylogger on the computer of a high-level access employee
  • DDoS attacks on customer-facing websites
  • Negative social media responses from customers
  • Online sales of customer data
  • Leaked company data including emails, salary information, and contracts
  • Ransom requests
The Penn State team in the war game room
The Penn State team responded to each inject with maximized success because we were able to open all but two of our injects. We knew how to open the last two, but were unable to do so only because of budgetary restrictions, since we prioritized customer relations over forensic analysis.

Our last inject was an email requesting a 15-minute briefing from the CEO the next morning. We were given 2 hours to prepare and submit a presentation to be given the next morning. We were instructed to use a template that guided us to provide specific information, but this proved to be useless.

The next morning, our team showed up ready to present, under the impression that we would have 7 minutes to talk and 7 minutes for questions. However, after introducing ourselves and telling the board of directors that we were under attack, we were immediately hammered with questions. This threw us off guard a bit, but we responded well to the changing situation.

This proved to be much more realistic than we were expecting, which was perfect for providing a learning experience. A high-pressure presentation in front of a board of directors should never be an easy thing to do. There were certainly things that we were asked and didn't know. In fact, the judges knew that we weren't going to know many of the things being asked, and were expecting an answer similar to "We don't have that information right now, but we'll work on it and get back to you as quickly as possible."

Another point that the competition made is that when presenting to a board of directors, you need to speak their language. They're not going to know what a rootkit is, so there's no point in giving technical details. The stress has to be on giving a high-level overview of the information that is important for the board to know. Even though there may be information that is important to the security team, it may not have any significance in that setting. The presentation was the last 60% of our overall score for the competition.

Although our team came in 4th place, I had a lot of fun, and learned even more. The entire experience was phenomenal and I can't thank Deloitte enough for the opportunity to learn along with some of the best security experts in the field.

Sunday, March 29, 2015

What does the green padlock mean in your browser?

Have you ever noticed a green padlock in your browser when you type in a URL? Have you ever wondered what it meant? Does it mean the site is secure? Who decides which sites get one?

In short, a green padlock tells you that your connection to the web site is encrypted: what you type is turned into an unreadable form before it leaves your browser and only changed back (decrypted) once it reaches the site's server, so anyone watching the network in between sees nothing useful. It says nothing about what the site does with your data after that, or about whether the site itself is honest; a phishing site can have a padlock too.

The padlock is shown on the strength of a certificate that a certificate authority has signed for the site's domain name, so it is the certificate authorities that decide which sites get one. For most sites the certificate only proves control of the domain name. With an Extended Validation certificate, which browsers currently display with the organization's name beside the padlock, it also identifies the legal entity that controls the website, including its name, place of business, and jurisdiction.
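The two claims behind the padlock, that the certificate covers the name in the address bar and that it identifies (or does not identify) who runs the site, can be checked directly from the certificate. The following is an added example, not code from the original post: it inspects a certificate in the form Python's `ssl` module presents it (the dictionary returned by `SSLSocket.getpeercert()`), matches the host name against the certificate's DNS names with the one-label wildcard rule, and classifies the certificate as domain-validated, organization-validated or extended-validation from its subject fields. The two certificates in the block are constructed samples; the EV field names follow OpenSSL's naming and are an assumption for the sample.

```python
"""Added example (not code from the original post): read a server
certificate as SSLSocket.getpeercert() presents it and answer the two
questions the padlock raises. SAMPLE_DV_CERT and SAMPLE_EV_CERT are
constructed samples; a real one comes from
ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()."""

# Constructed domain-validated certificate: the CA checked only control of
# the name, so the subject carries nothing but a commonName.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.shop.example.com")),
}

# Constructed extended-validation certificate: the subject names the legal
# entity, its place of business and its jurisdiction (field names as
# OpenSSL prints them; an assumption for this sample).
SAMPLE_EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "C1234567"),),
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "Cupertino"),),
        (("organizationName", "Example Bank, Inc."),),
        (("commonName", "www.examplebank.com"),),
    ),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "examplebank.com")),
}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.

    A wildcard matches exactly one label (RFC 6125): *.example.com covers
    api.example.com but neither example.com nor a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for pattern in names:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif pattern == host:
            return True
    return False


def identity_claim(cert):
    """Describe what the certificate says about who controls the site."""
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if org is None:
        return "DV: only control of the domain name was verified"
    if "businessCategory" in fields:
        where = ", ".join(fields.get(k, "?") for k in ("localityName", "countryName"))
        return f"EV: legal entity {org} ({fields['businessCategory']}) in {where}"
    return f"OV: organization {org} was verified"


def check(cert, hostname):
    """Combine both checks the way a browser does before showing a padlock."""
    if not hostname_matches(cert, hostname):
        return f"no padlock: certificate does not cover {hostname}"
    return f"padlock for {hostname}; {identity_claim(cert)}"


if __name__ == "__main__":
    print(check(SAMPLE_DV_CERT, "shop.example.com"))
    print(check(SAMPLE_DV_CERT, "evil.example.com"))
    print(check(SAMPLE_EV_CERT, "www.examplebank.com"))
```

The name check is the part that protects against impersonation; the identity classification only tells you how much the certificate authority verified about the owner, which for a domain-validated certificate is nothing beyond control of the name.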

Thursday, March 12, 2015

TOP-SECRET Presidential Directive For Cyber Attacks Against Adversaries

A top secret document, released by Edward Snowden on June 7, 2013, reveals the United States Government's authority to take aggressive action in cyberspace to counter cyber attacks on networks within the United States.

The document, signed by Barack Obama in October 2012, is called "Presidential Policy Directive 20" (PPD-20). It opens by explicitly stating that the directive "supersedes National Security Presidential Directive (NSPD)-38", an earlier document authorizing U.S. government power to conduct surveillance through monitoring.

The document describes two main subjects, Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO). These are, respectively, operations and related programs or activities conducted by or on behalf of the U.S. Government to protect against threats to national interests, and to produce cyber effects outside of U.S. Government networks.

One notable statement in the document is that "OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging."

Sunday, February 22, 2015

Lenovo Superfish Bug Allows Attackers to View Your Web Traffic

Lenovo, the top-selling laptop brand in 2014, has released a tool to remove one of its pre-installed programs because of a flaw that lets attackers read a user's web browsing traffic, including traffic the browser shows as encrypted, without the user's knowledge. If you own a Lenovo laptop, you may be vulnerable and should read on to learn how to remove the software.

The program, Superfish, was meant to be a pre-installed but "safe" adware program for Lenovo laptops. It gave users shopping assistance, using the images on a page to find the cheapest matching items online. To do that on HTTPS pages, it installed its own root certificate into the machine's trusted certificate store and used it to intercept encrypted connections; because every installation shares the same certificate and private key, anyone who extracts that key can impersonate any HTTPS site to an affected laptop.

After exposure of the vulnerability, Lenovo has released a program that checks for the vulnerable software and completely removes it from your computer. It has also provided instructions to remove the software manually through the uninstall window and to remove the certificate from your local machine. Note: there are a few extra steps if you use Firefox or Thunderbird, which keep their own certificate stores and need the certificate removed from those as well.

Click here for the software or find the steps to manually remove all traces of it.

Personally, my Lenovo laptop did not come with the software, so there was no need to remove it. Therefore, not EVERY Lenovo laptop is at risk, but every notebook owner should at least check their own machine. If you are interested in how the vulnerability is exploited, the technical details have been released by Errata Security here.
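Uninstalling the program is not enough on its own; the trusted root certificate is what lets the interception work, and it can outlive the uninstaller. The following is an added example, not Lenovo's removal tool and not from the original post: a check, run from an elevated PowerShell prompt, for the Superfish root certificate in the Windows trusted root stores. It assumes the certificate's subject contains the string "Superfish" (the shipped certificate was issued to "Superfish, Inc."). Firefox and Thunderbird keep separate certificate stores that this does not touch.

```powershell
# Added example (not Lenovo's removal tool): find, and optionally delete, the
# Superfish root certificate in the Windows trusted root stores.
# Assumption: the certificate subject contains "Superfish". Run elevated.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' }

    if (-not $hits) {
        Write-Output "No Superfish root certificate in $store."
        continue
    }

    foreach ($cert in $hits) {
        Write-Output ("Found in {0}: {1}  Thumbprint: {2}  Expires: {3}" -f
            $store, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        # Remove-Item works on the Cert: drive; uncomment once you have
        # confirmed the hit is the unwanted certificate.
        # Remove-Item -Path $cert.PSPath
    }
}
```

Re-run the check after Lenovo's tool or a manual removal to confirm nothing was left behind, and remember that any other account on the machine has its own CurrentUser store.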

Tuesday, February 17, 2015

The NSA May Have Access To Your Hard Drive

The United States National Security Agency (NSA) is reported to have had access to the hard drives of thousands of personal computers for at least 14 years without needing to keep conventional malware on them. Spyware implanted in the firmware of hard drives from brands including Seagate, Western Digital, IBM, Toshiba, Samsung, and Maxtor may have given the NSA full remote control of infected machines.

None of the companies involved has acknowledged knowing that the firmware of their hard drives was being infected. The spyware lives in the drive's firmware, the control code that is already on a drive when you buy it from the store; the attackers overwrite that firmware with a modified version of their own. This is executable code that an end user cannot easily remove, not even by doing a full data wipe of the disk, because a wipe touches the stored data and not the firmware.

Thursday, February 5, 2015

Largest Health Care Data Breach To Date: Anthem Inc.

On February 4th, 2015, Anthem Inc., formerly known as WellPoint Inc., announced that Social Security numbers, names, dates of birth, member IDs, addresses, phone numbers, email addresses, and employment information for up to 80 million customers had been stolen. Anthem is the second-largest health insurer in the United States.

While you may not recognize the name Anthem Inc., you may recognize some of the brands that it encompasses that were affected by the breach, including: